    New Data Reveals How Sarcoma Group's Attack Compromised Unimed RS

    By Content Team on October 31, 2025

    The Axur Research Team, Axur's research and investigation team, confirmed this week the publication on dark web forums of 2.8 terabytes of data attributed to Brazilian healthcare cooperative Unimed RS, in an episode claimed by the Sarcoma ransomware group.

    Incident Timeline

    The case began on October 5, when Unimed Rio Grande do Sul identified a cyberattack on its systems. In a statement released the following day, the cooperative reported immediately activating its security protocols and notifying the relevant authorities. Virtual channels were temporarily unavailable and were restored that same day, with no impact on patient care.

    Ten days later, on October 15, the Sarcoma group publicly claimed responsibility for the attack, alleging it had extracted 2.8 TB of data, including SQL databases and images of identity documents. The disclosure occurred via Hackmanac, a profile known for tracking cybercrime movements.

    Data Exposed on the Dark Web

    According to the Axur Research Team's investigation, the data was actually posted on the dark web on October 28, 2025.

    The download was completed on October 31, revealing that the material was made available in 27 compressed parts, each approximately 100 GB.

    Preliminary analysis indicates that the content includes SQL databases, identity documents, and internal files (meeting recordings); obtaining this material required collecting it from the victim's local system.

    Data leaked by the Sarcoma group includes meeting recordings and identity documents.

    "Double Extortion" Tactic and Sarcoma Group Patterns

    Sarcoma is known for employing the "double extortion" strategy, combining data encryption with the threat of public leakage to pressure victims into paying ransom in cryptocurrency. This approach has become one of the main weapons of ransomware groups targeting critical sectors such as healthcare, education, and government.

    Healthcare Sector as a Target of Ransomware Attacks

    Attacks of this type against medical institutions have been growing globally, driven by the value and sensitivity of the information stored. Electronic medical records, financial records, and patient data form a valuable asset for digital extortion groups. Incidents involving hospitals and health insurance providers have become critical points on the cybersecurity agenda.

    Conclusion

    The Unimed case reinforces the importance of independent cybersecurity intelligence sources in verifying leaks and analyzing TTPs (tactics, techniques, and procedures) employed by ransomware groups.

    Access the bulletin generated by the Cyber Threat Intelligence solution to collect the TTPs here.

    To follow updates on this and other incidents, follow Axur's blog. Axur clients have access to the complete report, with detailed analysis of this attack and the Sarcoma group.